The Economist is good but has the occasional US-centric blindspot. I recall an analysis in there saying how Hollande was very unlikely to be elected because he was "too Socialist". Which showed a great grasp of French society, I must say! :D Their take on the attacks on Libya was either staggeringly ignorant or had to be mendacious in how completely they followed the US government's party line on it being an internal popular uprising. Generally they're pretty good but nobody is without weaknesses.
If that is the case, then surely Britain would similarly benefit if we were a "Northern industrial exporter" like Germany. I think the real question is why we aren't and for that, we have to look considerably closer to home than Brussels. If the EU benefits rich and productive countries (as you point out), our aim should be to be one of those countries, not to drop out of the race.
Re: There was never a need for a combined currency all over Europe
Agreed. There's also the fact that any remotely respectable nation is now part of some powerful trade bloc these days. That gives you a lot of negotiating power. Obligations too, but better in than out or countries wouldn't be members. I for one don't want to be dwarfed by the EU, NAFTA and others. I want to be able to negotiate on parity. And even if some people have an inflated idea of the UK's size on the world stage, we can't do that by ourselves.
Re: There was never a need for a combined currency all over Europe
Multiple currencies - a national and a regional - are a very good idea. George Monbiot once wrote a very good article in their favour which, iirc, I came across in the Economist some years ago. The most important part of the EU is the freedom of movement and the trade benefits (internal is part of it, but it is also not for nothing that most of the world has bundled itself up into trade blocs for negotiating power). The single currency is a way of achieving that. But as you can see from the UK, we have those without monetary union so it's possible.
Multiple currencies might be a way of getting some of the good from both joining and staying out. You effectively allow two currencies to compete against each other.
That's a lot of words...
I have a shorter article of about three sentences: "Greece only got into the EU because Goldman Sachs helped them fiddle their financials and because some of the EU leaders were keen on expansion for political reasons. It never was a good fit and should never have been allowed in. And when they crashed rather than infinite bailouts for which the taxpayer takes the risk, they should have been allowed to crash out of the EU rather than dragging everyone else down with them."
Any of the above would make the rest of what was said academic. Yes, there are problems with a currency zone but there are benefits too. Not everything is about setting the most perfect interest rate possible. In reality, Tim is talking about, in his example, people in the North of England being charged more for debt than those in the South, or vice versa. Contrary to his article above, there are downsides to such discrimination.
The EU can certainly absorb a little imprecision in interest rates for all the benefits such as negotiating as a large trade bloc, ease of labour migration, ease of internal trade. This is much like one of those interminable Windows vs. Linux arguments or the AGW debates we have on here where someone picks out one element and says: "Look, this could be better" and tries to turn the whole discussion into one facet rather than the whole picture.
It is survivable that Spain is in the same currency union as Germany. Not ideal, but not critical either. In general, the rich drag up the poor a little bit as a consequence. Which is a good thing long term because otherwise you just get ever widening gaps which end extremely badly. What the EU can't survive is a country as rife with corruption and reckless borrowing as Greece. They should have been kicked out long before (or not admitted). Then we wouldn't be having this conversation because the issues Tim is talking about would be far less exacerbated by the general malaise Greece is largely responsible for. Spain and Ireland would pick up quickly enough. Such peaks and troughs are inevitable, not a consequence of monetary union.
They're not TVs anymore.
I was looking for a new TV recently. It's getting very hard, if not impossible, to find one that is just an output device. They all come with web browsers, Skype, microphones (for voice control), sometimes built-in cameras, and other such things. Just seeing a TV advertised as "quad-core" makes my skin crawl, tbh.
Maybe it's old UNIX philosophy I admit, but I like the principle of a thing that does one thing and does it well. I'll break that philosophy when there's a good reason such as convenience (I like my hybrid tablet) but I need a good reason for it. Any TV I buy is going to be hooked up to other devices because these devices will do a better job of their task. I have no need for it to have some old and shortly to be out of date web-browser built in, or the hardware drain and attack surface that goes with it. Just sell me the TV, not all this extra stuff that I can do better myself.
Eulampios - an argument about Android vs. Windows security based on your demands about how many times I have personally known a user affected by malware is as pointless as you creating the argument in the first place. I commented about the dire state of Android updates by OEMs and how that needed to be resolved. Why you feel the need to leap in and point at Windows to make it an OS vs. OS battle, I don't know and little care. And arguments about how you personally have never had anyone come to you for help with "highjacked Android desktops" as you put it (!), is no basis for any kind of insight.
You use the phrase "altera pars" which means listen to the other side. Why do you see things as "sides" or respond to someone pointing out a very real problem in the Android ecosystem with attacks on Windows? You are absurdly partisan and it is, quite frankly, boring.
EDIT: And as, based on previous experience, you're unlikely to let this go, I'll answer the pointless question with an answer that is equally meaningless statistically: "once". In the last couple of years I can recall one person coming to me with a problem of malware on their Windows machine. They had received one of those fake calls from people claiming to be from Microsoft and got her laptop infected. The comparison number of people who have come to me with problems with an Android phone is zero. So I suppose to you that represents Android being infinity times more secure, does it not? Anyway, most people I know have iPhones and most of those with less money have Windows Phones so far as I've actually paid attention to what my friends use. One has a Meego phone, iirc. Is any of this helpful? No, didn't think so. Maybe at least it will show how pointless you insisting on using such metrics for comparison is, however.
Re: Who has paid for the survey?
>>"They don't list "Ubuntu with a DE" either… They just list Ubuntu, and with Ubuntu, it is a user choice (default: enabled) as to whether a web browser is installed or not."
Then why don't you drop the author of the study a line? It is apparent to me that they meant default installs and I would imagine pretty clear to everyone else, but if you think it's ambiguous just email them. They've been responding to questions pretty quickly. I'll happily backtrack if they say that they meant Ubuntu non-Server with the desktop environment deliberately unselected. But that's not going to happen.
This is a study of default installs. That's why it can include third party at all and why, as they said, they separated out the kernel as its own category.
EDIT: I say they've been responding to comments, I should say the polite ones to be clear. There are a lot of nasty and abusive comments on there which I hope they will ignore.
Re: Which begs the question
>>"Well that's one of the most fallacy laden responses I have ever seen!"
Really? Then allow me to list the fallacies in your response.
>>"First things first, "begging the question" is not a phrase it is a defined logical fallacy."
It is most certainly a phrase, it may or may not also be this other thing. False Dichotomy.
>>"I also grew up in the UK and was taught the correct meaning of "begging the question" at school"
Assuming the Answer. You declare that it is the correct meaning because you believe it to be so. Were you to argue that it was the original meaning, you would have more of a case perhaps. But even there the phrase in that sense is actually a mistranslation of petitio principii which means "assuming the initial point". It is ironic that you are arguing that your definition is correct because your misuse is an old one. If you doubt any of this, by all means check and you'll find that I am correct.
>>"Asserting that a particular incorrect usage of the phrase by a large number of people makes your use correct is also incorrect, just because a proportion of people use a phrase in that way does not make that use correct."
Two flaws in this one. Firstly, a repetition of assuming the answer (stating it is incorrect therefore my explanation must also be incorrect). Secondly, you argue that words have meaning other than their usage in order to try and show how a minority definition of the phrase is right. This argument carries some weight in some cases - such as my example of someone calling a hammerhead a whale. It has weight because the majority of people have a different understanding; there is a scientific classification that ties to it; and there is an existing better word to use which is "shark". None of these are an absolute argument, but they are all good ones and amount to it being legitimate to correct someone. "Begging the question" isn't a word, it's a phrase with two different meanings. One is a minority use debating term which also has a better and far less awkward alternative which is "Assuming the Answer". Something I know you are familiar with because of your vaunted experience of Comprehensive School Debating Societies. (A rather sad Appeal to Accomplishment, btw.)
>>"The next part of the response is not a discussion of the reason behind the point it is simply an attack on the person making the post."
Correct. Just as they began this with an attack on someone else for using a phrase that everyone understood and which is commonly used that way by most people. An attack or insult of someone is not a fallacy unless it is used in lieu of argument. With me, you will find it is always a supplement.
>>"I was lucky and went to a South Yorkshire pit village Comprehensive school where we had a debating society, we were encouraged to learn how to spot fallacies in arguments and how to counter them."
Excellent. I suggest you read your own post in that case.
Re: Lies, damned lies...
>>"It was a 3.6GB download on top of Windows 8. That's a lot of GUI..."
That update pack incorporates the majority of the patches and updates that were issued to Windows 8 in between 8 and the release of 8.1. What you downloaded isn't just updates to the UI, it bundles together all of the intervening changes that Windows 8 receives as well.
>>"I know what tune exactly you're humming, h4rmony, yet let me kindly ask your definition of the security in the wild? There is a virus/trojan in the lab or wild receptively. Never heard about "security in the wild", though."
"In the wild" means real world common usage. So if an OS has fixes for 70% of its vulnerabilities, but most of those fixes aren't installed by the majority of the OS's user base, as is the case with Android, then there is a large discrepancy between the OS in the wild and in the more controlled environments of the vendor and minority exceptions.
>>"If that was the atrocity you're talking about, why didn't you say a word in all of the previous posts about the Windows viruses/trojans atrocious "security in the wild"?"
Because the point I was making was the importance of patch release processes and how OEMs are severely damaging Android security and making it a joke in the IT world through their unwillingness to patch things. I didn't go on a tangent about Microsoft or viruses because these are irrelevant to whether what I say is accurate or not. All supported Windows OS installations have access to the latest patches. Most Android ones do not. Hence when I talk about this problem, I'm talking about Android.
Re: Put up or shut up
>>"Where did you find any standards in Microsoft release process ??? Or did you mean the patch/update release process?"
I was talking about software vulnerabilities and fixes so I thought the context made it clear. Yes, I'm talking about Microsoft's more standardized release process for updates.
Re: Who has paid for the survey?
>>"Gentoo doesn't. Debian doesn't unless you install the desktop environment. Ubuntu doesn't unless you install the desktop environment. OpenWRT doesn't. Linux From Scratch doesn't."
And none of those are the distros listed in this report. I mean, Ubuntu is, for example, but not "Ubuntu without a DE". If they're separating out Windows 8 and 8.1 then they are certainly separating out Ubuntu and Ubuntu Server.
Re: Lies, damned lies...
>>"As the nitwit in question, I should maybe point out that language can be tricky too, especially if you ignore part of what's written."
Yes, I did. You put a minor get-out clause in there and then proceeded to roll forward with your conclusion anyway.
>>"There is no evidence in the article which enables anybody to say how many vulnerabilities in Win 8 also affect Win 8.1 (to use your example)."
It doesn't need to be in the article. We can bring the context ourselves. Windows 8.1 and Windows 8 are overwhelmingly the same code base and this is trivial to check by inspection if you doubt it. 8.1 is mostly some GUI changes. One would have to be entirely ignorant of this fact to think summing the total of two different versions of Windows was a legitimate comparison to a single version of OSX.
>>"At least, that's all I can say - and that's all I did say."
That isn't all that you said. You titled your post "lies, damned lies and statistics", stated that it was comparing apples to oranges and declared Microsoft to be the "loser" with a small admission that it might not be true. When anyone with any context would rightfully throw out the idea of summing the bugs from 8 and 8.1 after a moment's thought. Your entire post is based on a premise that is trivial to show is wrong. That you acknowledge the premise doesn't mean it's not silly to hold it up as a reasonable possibility.
Re: This is not a football match. @h4rm0ny
There's not much I can argue against in that post. Seems to be (sadly) right on the money. Especially your summary of the main distros. I'm quite sure that Poettering probably would take it on - seeing as there's nothing he's encountered so far that he hasn't tried to vacuum into systemd. But like you, that's not a solution I look forward to seeing.
Re: Biased reporting
>>"If you combine all the Windows versions together (as has been done for OS X) then Windows has 248 vulns, that's 100 more than Apple."
Set theory is not your strong point. As pointed out elsewhere, nearly all of those vulnerabilities will be the same one present in multiple versions.
Re: Put up or shut up
>>"A methodology that generates a result that's so much at variance with common experience needs to come with an explanation. Or at least a theory."
Who says that it is at variance with common experience? I've generally found GNU/Linux and Windows to be comparable in security (assuming competent admin in both cases) with a slight practical edge to Windows because of their more standardized (imo) release process.
>>"Windows is difficult to make secure because of its structure and complexity, and all the wonderful "features" which seemed like a good idea (to Microsoft) but are now forgotten, but still available (to hackers)."
Like being able to pass in function definitions by text to Bash as an environment variable? Shame on you - this is the first out and out partisan post in this thread.
EDIT: What did I say in my first post here? We'll find out when it gets to lunch time? Lo and behold it hits 12:30 and we suddenly get our first two partisan shots. *sigh*
>>"By far the biggest issue Android has is that idiots will happily install every piece of malware they can find as long as it pretends to be a free fart app"
That's what I meant when I compared it to XP and how trying to educate users just didn't work for MS, which was what they tried to do for a long time. Send an attachment saying "BritneySpearsNaked.exe" and half of my colleagues back then would cheerfully infect themselves. :( That's why pretty much every Windows system these days has anti-virus built in by default and tools like SmartScreen. Microsoft gave up waiting for the kids to grow up and just went back into parent mode (for better or worse).
You can't stop people being stupid, but there's definitely room for Google to work on the same problem with Android.
Re: This is not a football match. @h4rm0ny
>>"The former is unlikely to happen, as the distro specific sysadmin stuff is where people like RedHat and Canonical make some of their money. The latter cannot happen as there is no accepted Linux standard or even standardisation authority, and even if there were, it would be dominated by the commercial distro maintainers, because they are the only people who might have resources to invest in a standard, and then we are back to the former point."
That's a really interesting post, I've just snipped out part of it. It might be optimistic (or naïve according to view) but perhaps there is a third option. Linux grew out of a community of people collaborating voluntarily. Perhaps given there is an evident need, the same can happen again. It may seem unlikely, but then the entire Open Source movement was, and yet people made it happen.
Re: Lies, damned lies...
>>"The table shows that, if you combine all versions listed, Windows OS has 248 vulnerabilities, making Microsoft the clear winner/loser (always assuming that no nasty is double-counted)."
Do you really think that most of the vulnerabilities listed for "Windows 8.1" are not also vulnerabilities in "Windows 8"? That there isn't massive overlap between the different versions and you're not just counting the same vulnerability twice? Maybe we should add up all the different Linux distributions and make Linux the worst OS instead of OSX? It's using the same logic you just have!
>>"Statistics can be tricky - but they're not that tricky."
Too tricky for you, nitwit.
Re: Which begs the question
I grew up in the UK hearing "begging the question" in the sense that something immediately demanded an obvious question be asked. So did most people grow up with that meaning around them. It's not like a word such as "whale" where it has a definition independent of common meaning and if someone calls a shark a whale you can correct them. It's a phrase. You have a different and far less intuitive understanding of the phrase which may or may not be older, but is not authoritative - because it's a phrase.
The only phrase that can be said to be inherently wrong is "I could care less" unless that's actually what someone intends to convey which it seldom is. Other than that I get tired of somebody popping up whenever other people are using a common phrase in the way both they and the listener are used to using it and attempting to tell them they're wrong and they should use the newcomer's definition. Really, such behaviour just begs the question of what they actually want by doing this, my answer to which is that they just like pretending they know more than other people.
TL;DR: Pedant Fail.
Re: This is not a football match.
>>"It has a LONG way to go on the usability front."
I actually find it fine to use, though I will concede I started out with HP UNIX and XWindows so I may not be fully calibrated to the average user. But still, I think Distros like Mint are out of the box pretty good. I agree it is light years ahead of where it was and I have many memories of hours spent editing xorg files trying to get it to work right.
The area that I personally think GNU/Linux might want to improve on a bit more, is enterprise tools. I'm happy to be corrected on this one if I'm wrong. I have programmed on GNU/Linux professionally and used to use Gentoo as my primary so I therefore have a reasonable understanding of the principles and how it is put together, but I have never administered a company's Linux systems so I may not have a solid feel for this - like I say, if I am wrong I am happy to be corrected. But last year I encountered puppet for the first time. I also have had to witness the painful, painful way in which user accounts are being managed across many Linux boxes / VMs. The sysadmins doing all this aren't idiots, they're smart people. So if this is really how things are done in the Linux enterprise environment then they are actually behind the tools that MS provide for this by a considerable margin. Given Linux's stronghold is backend enterprise, I think this is as important as UI refinements, imo.
Of course it's difficult to find people who are experienced sysadmins of both Windows AND Linux, so informed comparisons are hard to come by. Unlike most of my posts, I won't be arguing in defence of this one either way - these are just my impressions.
Re: Comparing like with like ?
If you read the linked article, he actually breaks it down by GNU/Linux distribution (that's even referred to in El Reg's summary) and he also addresses break down of the vulnerabilities between OS and application. He's actually done an extremely good job here - I'm impressed.
Android isn't in the list. I went back to the original article and found its entry:
6 total vulnerabilities: 4 high severity, 1 medium severity, 1 low severity
This is really interesting. Why? Because the state of actual security of Android in the wild is atrocious. And yet in terms of vulnerabilities the OS itself is pretty low. Why the contradiction? Most people probably are already answering: OEMs. Regardless of whether it should be the OEMs stepping up or Google having set up a different model in the first place, the unpatched and out of date Android systems out in the world are innumerable. Vulnerability stats aren't the only key part of security - update model is a critical part so any discussion about relative security of different platforms needs to include this.
If Google genuinely thought that their 90 day policy improved security then where they should direct it is against their own OEMs. Either Google is responsible for Android security or it is not. And if it is not (as is frequently stated by those who argue against critics of Android security), then Google should be treating the OEMs the same as it treats other companies such as Apple and Microsoft. Android is currently where Microsoft was in the XP era - fragmented updates across a userbase that is largely security-ignorant. And like Android, MS wasn't selling it directly in many of these cases, but leaving responsibility with the OEMs.
MS eventually realized two things: One, whether it was the OEMs' fault or not, it was harming them. Two, educating users on security wasn't working. So they took back control and they started putting in their own security tools even though that upset their business partners who sold anti-virus software of their own. Google needs to look at doing the same thing even if it's painful or upsets their OEMs.
This is not a football match.
I have hope that this comments section will not become a sports match - all of the comments so far have been non-partisan. I guess we'll find out after lunch when the East Coast has woken up and seen this. ;)
Anyway, I don't think this shows a failure on GNU/Linux's part. I think instead it shows how far Windows has come. Go back to the Windows XP era and this situation was far reversed. XP had a poor security model and was riddled with problems. GNU/Linux has actually improved as well. It's just that Microsoft bit the bullet with Vista and went through the massive pain of re-doing much of their system from the ground up. We're now seeing the long-term benefits of that process.
And aside from changes to their security model and obvious improvements to their quality control, there's another thing MS addressed which isn't impacting those figures above but is impacting actual daily security a lot. And that is they took some of the responsibility for security back from the user and manage it themselves now. All Windows systems can have Windows Defender / SmartScreen / etc on and running, and any that don't normally have third-party anti-malware software running instead. Windows Defender isn't fully as comprehensive as something like Trend Micro or Kaspersky, but it does the job and has low impact. The fact that modern Windows installs have proper anti-malware up to date by default now is making a big difference to the general state of end user security.
Re: Which begs the question
You haven't specified a subject but I'm going to assume that you are talking about GNU/Linux. There are two answers to your question (neither mutually exclusive). The first is that you're wrong - there actually aren't a "vanishingly small number of attempts to exploit them". Companies face active attempts to compromise their GNU/Linux systems daily. It is end users who don't see many attacks.
And that last part leads into the second answer which is regarding the disparity between attacks on GNU/Linux end users and those on Windows end users. The reasons are fairly elementary. If it takes the same amount of effort to craft an attack on either OS, are you going to direct your malware efforts at the OS that has a huge proportion of the total end users, or the one that has a small proportion? Furthermore, are you going to target the userbase that is a mix of technically competent and technically incompetent people, or the one that is stripped of the technically incompetent people?
Short version: For back-end systems, your question is actually wrong - both GNU/Linux servers and Windows servers are actively targeted because they have equal value. For end users, the reason for the huge disparity is that the two sections do not have equal value.
>>"These numbers prove that nothing is 100% secure and bug-free, despite certain sections of the IT community wearing rose-tinted spectacles."
Indeed. I've had numerous arguments with GNU/Linux zealots (note: zealot != user) on here. Say what you want about Windows but no-one has ever sat back and said: "I don't need to worry about security, I use Windows".
Anything as sophisticated as an OS is going to have flaws. I think most actual GNU/Linux sysadmins are smart enough to know how seriously they have to take security, but there is a second tier of zealots who talk as if GNU/Linux is far ahead of Windows in security. That hasn't been true for quite a long time now, but I still see it routinely on these forums. There was a post here just the other day that said Windows had fewer vulnerabilities than Linux in the last year (as this report suggests) and it got downvoted to oblivion.
Re: Here we go again
>>""It's too much trouble to fix, so let's throw it out and start over", is one of the biggest danger signs in programming, amirite Netscape, Longhorn?"
You're very right and it was what I came here to say when I read the article. I'll look at it fairly when it arrives, but this is a danger sign to me.
Still, I'm glad they didn't go the Webkit route. It would have been bad for them and it would have been bad for Firefox to be isolated like that.
>>"So, when Apple decided to stick it to the entire music industry (including indies) all weenies cheered and life was good. Music became cheap. When Google does the same thing, weenies boo and hiss because "oh noes, poor artists are starving"."
Apple let me buy the tracks I wanted as digital downloads which is how I listen to them. Google shoves ads in my face and tells artists that if they don't sign up to certain terms Google will continue to profit from their music and just not pay them any more.
I don't see the similarity, to be honest.
Re: Doubly unusable if he moved the document
>>"Unfortunately $EDITOR edited the word doc with change tracking. Then $EDITOR scribbled on a print-out with red ink. And they want me to make another pass through it and do some structural changes. So my workflow is:"
I'm unconvinced MS Word's inability to merge in one of your editor's hand-written amendments on hard-copy is a reason to call it "utterly unusable".
>>"I wrote the bloody thing in Scrivener (which is at heart an IDE for complex compound documents like, oh, trilogies), then generated a word document as output because my editors insist on working in Word because corporate IT at the big publishers thinks everyone uses it"
Again, not really a reason for attacking Word. You're basically damning it for being successful. If the situation were the other way around and they all insisted you submit your work in Scrivener format and you wanted to use Word, you would be in the same situation. Of course Scrivener will export to Word because Word is the common standard and so it needs to. If the situations were reversed Word would have export support for Scrivener for the same reasons. But you would still be in the same situation as minority user. You would, for example, lose all your change tracking in your Word document when it had to go into Scrivener and back again.
So again, this is an artefact of your choice in writing tool, not any indicator that Word is "utterly unusable".
>>"even though many deeply serious professional authors won't touch it with a barge-pole."
And plenty of other authors do use it fine. I'm not sure if they are deeply serious ones, or why seriousness is so highly regarded by you, but again, you're publicly slagging off the work of some very talented programmers who have put years of work into the software for no good reason that I can see here. All of the items you list are more to do with you than with Word.
Re: I like MS Word...
>>"If he can't track changes, it is broken."
Actually, from the context of what was written, it seems moving things back and forth between LibreOffice and Word on a Mac platform is what messes up the change tracking. That hardly justifies statements that Word is "utterly unusable" or the general attacks on it as rubbish that some seem to be posting here.
Re: re: Word is for office drones.
"Dude, you're a barista..." was one of the lines from a Samsung ad. It's what one person in the Apple store queue says to another one when he is rhapsodizing about how the Apple technology enables him to be creative. It's pretty on-topic as a comeback, just FYI.
I like MS Word...
It's good. Seriously, author with noted political stance on software has trouble with Word? This is a news story now? I helped someone who was saying almost exactly the same thing about Libre Office last week which I'd installed for them because they wouldn't pay for Word. They couldn't figure out how to change the line spacing. Is that Libre Office's fault that they couldn't figure it out and said the software was impossible to use? No, they're just technically inept and prone to hyperbole.
Re: Some inane thoughts on the smaller points grammar...
>>Why do some people insist on capitalizing the first letter in each word of 'open source,' as in: "Open Source"? Did it become a brand name somewhere along the line? [...] Greets from the dirty pedant!
You don't get much more pedantic than I do. I capitalize Open Source because I am referring to a specific category of software known by that name. I.e. it is a proper noun, similarly to how in the same post I capitalized Libre rather than just saying "libre software" which could refer to things other than those I meant. I.e. Open Source is a proper noun in this context.
And to anticipate any extreme pedants about to claim that it is a proper name rather than a proper noun because it is more than one word, you are wrong. There is no good foundation for such an arbitrary rule and you are just attempting to sound clever.
EDIT: And to the AC I am replying to, you have used an icon that is incorrect by convention. It should be the icon you see in the top right of this post when attempting pedantry. ;)
Re: Another Open Source security problem
>>"You need a C compiler for that, right? So you better check your C compiler sources. They look fine, so you compile your C compiler. With a C compiler binary. What could possibly go wrong?"
Not this again. Yes, there can be exploits hidden in a compiler but again, you seem to be responding to my statement that it is very hard to hide such backdoors in Open Source software with examples of things that are (surprise!) very hard to pull off. You need a compiler from somewhere to get started on the process, even if you're then compiling your own compiler afterwards. So where does it come from - well, somewhere reputable. You can check the hash of the file. The hash of this file will be the same as the hash of the file for that same compiler in a lot of other places. You think someone wouldn't notice that a gcc binary was different on one set of servers to another, even though it was supposed to be the same? Of course that would be noticed. So now you're talking about having sneaked your backdoor code into all the places that distribute those binaries. Places that compile them independently from source!
Seriously, we are talking Moon Landing levels of Conspiracy to pull this off and to keep it hidden. You can pull it off maybe for very targeted attacks (still hard as any serious user is using an enterprise distribution and differences would stand out), but that does nothing to contradict my point about it being very hard to hide backdoors in Open Source software. Your link, btw, is to a proof of concept. Good luck actually getting that out there into general Open Source that people had on their computers. In contrast to proprietary where you only have to compromise the vendor.
I don't know why some people are so determined to turn everything into a My Team better than Your Team fight. In any two systems that are different, there are going to be advantages and disadvantages, otherwise they would not be different. It does no good to deny an advantage or disadvantage because it's not to one's liking. It doesn't mean one is utterly better than another in either direction, it's just called recognizing not everything is five-year-old simple.
Re: Another Open Source security problem
>>"If that's what you want to believe, you might want to read say:"
And if you think those contradict my post, you may want to read what I had to say: "it's very hard...".
In Closed Source code, you have to compromise the vendor and that is job done - yes, it is possible that outside parties might find evidence of backdoors from decompiling, but it's difficult and time-consuming and, after all, we're talking about the ease of getting backdoors in there, not the relative merits of how hard they are to find (which OS also wins, btw). Whereas with Open Source, you have to camouflage your backdoor well enough to pass inspection by some very skilled people. Seriously - read your own link on the Dual Elliptic Curve Deterministic Random Bit Generator exploit and try and tell us again that this isn't far, far, far harder to pull off than a few IF statements.
>>"No that's not sensible - both for security and for resources. It should start a new thread and the thread should impersonate the user. This is how it is done in Windows."
That would still require the Samba daemon to run as root. Within the constraints of the UNIX security model I'd be interested to hear of any approach that could work without this. If you want to argue that the Windows security model (Vista onwards) is better than the UNIX model, I agree with you. But I don't see a fault here on the part of Samba's design.
Also, I'm not sure the resources criticism holds up. Why do you think it makes any relevant difference?
Re: Another Open Source security problem
Did anyone ever claim that Open Source was completely bug free? Is the claim that this bug would not have existed if this were closed source? That would obviously be a ridiculous claim, so what are you trying to say? As far as I can tell you're just creating a strawman to attack as no-one here has claimed such a thing.
And if you're trying to argue that ability to review the Source Code doesn't help, that's plainly not true as Microsoft would not have been able to review the code, find this problem and submit a patch. Unless in your hypothetical universe of closed source Linux they were sending copies of their source to their chief competitor whilst hiding it from the public... "huh?"
The real unarguable benefit of Open Source is not that it will always have fewer vulnerabilities than closed source software, but that it protects against deliberate subversion. It may or may not have accidental flaws but it's very hard to put a statement in there saying "if blnNSA == True..." And that's important.
The other critical thing is that in most cases, open source software is also Libre software, which means people can build on it. I've been involved in Libre Software for over fifteen years and I never recall us ever arguing our code would be immaculate. Instead we argued "Free as in speech", "Usually free as in beer", but never that I can recall "Free as in free of all bugs".
Yes, there is an advantage to the "thousand eyes" principle for security - you're posting on a story about a patch that would have existed without that - but you're basically strawmanning against something no-one here has claimed.
It's because when you connect to a Samba server on GNU/Linux it forks a new process under the credentials that you're accessing with, which is sensible enough. But only root can fork processes as another user so the Samba daemon itself has to run as root.
I guess it's an artefact of grafting support for the MS protocols onto GNU/Linux rather than having a true remote login. You need to be able to act as different users without an actual direct login as them... so root it is.
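The fork-then-drop-privileges model described in the two posts above, as an added illustration that is not Samba's own code: a root parent forks a per-connection child, which switches to the authenticated user's gid and uid (in that order) and then checks that it can no longer get root back. The uid/gid values passed in are assumed to come from the authentication step.

```c
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently drop to the given uid/gid. Returns 0 on success, -1 on failure.
 * Only a root process can switch to a *different* user; an unprivileged caller
 * can only "switch" to its own ids, which is what the tests below rely on. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    /* Only root may reset the supplementary group list; do it before giving
     * up the gid, otherwise root's extra groups would leak into the child. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    /* gid first: once the uid is non-root we can no longer change the gid. */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* The drop must be irreversible: regaining uid 0 has to fail from here. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Per-connection worker: the root daemon forks, and the child becomes the
 * authenticated user before touching any files, so the kernel enforces that
 * user's permissions. Returns the child's exit status (0 = success). */
static int serve_as_user(uid_t uid, gid_t gid)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges(uid, gid) != 0)
            _exit(1);
        /* ... a real server would now handle the session as `uid` ... */
        _exit((getuid() == uid && getgid() == gid) ? 0 : 2);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Stand-alone demo: drop to the caller's own ids, which works unprivileged. */
    int rc = serve_as_user(getuid(), getgid());
    printf("worker for uid %u exited with %d\n", (unsigned)getuid(), rc);
    return rc;
}
```

Run as root the child can be given any user's ids; run unprivileged, only the caller's own ids succeed and any other uid makes the child exit 1, which is exactly the constraint that forces the daemon itself to be root.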
>>"Has AMD caught up with Intel on single threaded desktop performance yet?"
Sadly not, though in absolute rather than relative terms, both Intel and AMD have long since passed "good enough" for most users.
Software has also finally caught up to some extent with parallel processing rather than cramming everything into a single thread. (With exceptions!).
"Yes, that's right. No two chips will run quite the same. This is a very clever idea by AMD. That's better than the previous approach used by AMD (and Intel) where no chip ever ran at its full potential; every die was graded at fixed speed bins and labelled at the one where it worked"
We used to have Socialist chips. Now we have Capitalist chips.